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501143.000019 
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Application-Specific Information-Processing 
Method, System, and Apparatus 
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The benefit of 35 U.S.C. § 120 is claimed for all of the above referenced 
commonly owned applications. The contents of the applications referenced in the tables 
above are not necessarily identical to the contents of this application. The applications 
referenced in the tables above are referred to herein as the "Related Applications." 

All references cited hereafter are incorporated by reference to the maximum 
extent allowable by law. To the extent a reference may not be fully incorporated herein, 
it is incorporated by reference for background purposes and indicative of the knowledge 
of one of ordinary skill in the art. 

BACKGROUND OF THE INVENTION 
FIELD OF THE INVENTION 

The present invention relates generally to ring arithmetic operations and 
particularly to efficient modular exponentiation of large numbers. 

DESCRIPTION OF RELATED ART 

20 Modem society has seen information transmission dramatically grow in 

prevalence, and the importance of information security has likewise grown. Transmitting 
information over an open network — such as the Intemet — involves many security 
challenges. 

The most common Intemet protocol for transmitting secured information is 
25 Transport Layer Security (TLS), descendent of Secure Sockets Layer (SSL). For clarity 
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and because of the protocols' similarities, reference will be made to SSL/TLS throughout 
this application. To improve speed, SSL/TLS uses symmetric encryption to encrypt 
much of the transmitted data. But symmetric encryption is vulnerable because 
communicants must share a private key. 

For improved security, SSL/TLS uses the slower asymmetric encryption to share 
symmetric keys. But every session requires sharing of a new private key because key 
reuse would substantially increase vulnerability. So in practice new sessions are 
estabUshed frequently, forcing heavy usage of asymmetric encryption. 

Some of the principal Intemet transactions using this type of security are e- 
commerce transactions. In a transaction of this type, the consumer transmits identifying 
information as well as credit-card or other financially sensitive data to a vendor. The 
amount of data that must be encrypted to complete the transaction is very small, typically 
less than twenty lines of text. The time spent by a server encrypting this data is 
insignificant compared with the time necessary to encrypt and decrypt the symmetric key 
in the asymmetric key-exchange portion of the transaction. Because each session 
requires a new key, which must be encrypted and then decrypted using the slow 
asymmetric encryption process, whenever a significant number of sessions are 
estabhshed, the majority of server resources may be dedicated to the key exchange 
protocol. 

BRffiF SUMMARY OF THE INVENTION 

A preferred embodiment is a data encryption method performed with ring 
arithmetic operations using a residue number multiplication process wherein a first 
conversion to a first basis is done using a mixed radix system and a second conversion to 
a second basis is done using a mixed radix system. In some embodiments, a modulus C 
is be chosen of the form - L, wherein C is a w-bit number and L is a low Hamming 
weight odd integer less than 2^"^'^^^. And in some of those embodiments, the residue mod 
C is calculated via several steps. P is spUt into 2 w-bit words Hi and Li. Si is calculated 
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as equal to Li + (Hi2''^) + (Hi2'^) + . . . + (Hi2'^) + Hi. Si is split into two w-bit words H2 
and L2. S2 is computed as being equal to L2 + (H22^^) + (H22^) + . . . + (H22"^) + H2, S3 
is computed as being equal to S2 + (2''^ + . . . + 2""^ + 1). And the residue is determined by 
comparing S3 to 2"^. If S3 < 2^ then the residue equals S2. If S3 > 2^, then the residue 
equals S3 - 2^. 

Further features and advantages of the invention will become apparent from the 
following detailed description and accompanying drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The following drawings form part of the present specification and are included to 
further demonstrate certain aspects of the present invention. The figures are not 
necessarily drawn to scale. The invention may be better understood by reference to one 
or more of these drawings in combination with the detailed description of specific 
embodiments presented herein. 

FIGS. lA and IB show a flowchart of a shotgun multiplication process, in 
accordance with an embodiment of the present invention. 

FIG. 2 shows a flowchart of a sHding window s-ary exponentiation, in accordance 
with an embodiment of the present invention. 

FIG. 3 shows a flowchart of an exponentiation mod pq using Chinese Remainder 
Theorem, in accord^ce with an embodiment of the present invention. 

FIG. 4 shows a flowchart of a castout process, in accordance with an embodiment 
of the present invention. 

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

Rivest Shamir Adleman (RSA) is one of the most common types of public key 
cryptography and is used for key exchanges in SSL/TLS. RSA bases its security claims 
on the difficulty of factoring large numbers. The public and private keys are fimctions of 
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a pair of large prime numbers. Cryptanalyzing the encrypted message using only the 
public key could be of comparable difficulty to factoring the product of two large primes. 

The two large prime numbers p and q are used to generate the members of a key 
pair. The product is computed: N = pq. An encryption key e is chosen such that e and (p 
- l)(q - 1) are relatively prime. The decryption key d = e"^ (mod (p - l)(q - 1)) is 
computed from e using the extended Euclidean algorithm. For a plaintext message S, a 
ciphertext message A is created by computing A = mod N. Then computing S = A*^ 
mod N decrypts ciphertext A, giving plaintext S. 

The Residue Number System (RNS) can be used to improve efficiency. Given a 
list of pair-wise relatively prime moduh mi, m2, . . . mk, called an RNS basis, the RNS 
representation of a number X with respect to this RNS basis is the k-tuple (xi, X2, . . . Xk) 
where Xi = X mod mi. The importance of the residue number system to numerical 
processes is that the operations of addition, subtraction, and multipUcation modulo M 
(where M is the product of the moduli) can be performed without the use of carry 
operations between the moduli. In other words, each coordinate in the k-tuple can be 
operated on independently and in parallel 

The Chinese Remainder Theorem (CRT) of elementary number theory states that 
given an RNS basis there is a one-to-one correspondence between the RNS k-tuples and 
the residues modulo M, where M is the product of the moduli of the basis. 

CRT may be stated as follows. For a given Ust of positive integers mi, m2, . . . mk 
such that the greatest common divisor (gcd) of any pair mi, mj (i j) is 1 , then for any list 
of non-negative integers ri, ra, . . . rk such that ri < mi (i = 1, k), there exists a unique 
integer X such that X (mod mi) = ri (i = 1, k) and X < mi m2 . . . mk, and conversely, each 
such X determines a unique such list of ri. 

La RSA decryption it is necessary to calculate S = A^ mod N. Now, N = pq and 
gcd (p,q) = 1 since p and q are both prime. So CRT uniquely determines S mod N by the 
pair (S mod p, S mod q). 
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Smodp =(A^modN)modp 




Since N is a multiple of p 
where a = A mod p 
for some integer u, and 
forv = dmod(p - 1) 



== (a" * " mod p) (a'^ mod p) mod p 
= ((a^ ' ^ V mod p)(a^ mod p) mod p 
= ((1)" mod pXa"" mod p) mod p 
= a^ mod p 



by Euler's theorem 



Similarly, S mod q = mod q, where b = A mod q, and h = d mod (q - 1). 

Consider the value U = ((sp - sq) g mod p) q + sq where sq = S mod p, sq = S mod 
q, andgissuchthatgq=lmodp. U<(p-1) q + q-1 <pq = N. AlsoUmodq = sq = S 
mod q and 

Umodp = (((sp - sq) gmodp) q+ sq) modp 



= ((sp - sq) gq mod p + sq) mod p 
= ((sp - sq) 1 mod p + sq) mod p 
= sp mod p 
= S mod p 



So by the CRT, U = S mod N. 



Hence, in order to calculate S = A^ mod N 



1) Compute: 



a) sp = (A mod p)^ ™^ * ■ mod p 

b) sq = (A mod q)^ ™^ " ^ ^ mod q 

2) FindgwithO<g<p andgq= 1 modp 

3) Compute S = ((sp - sq) g mod p) q + sq 
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Thus the problem of calculating S = mod N where A, d and N are 2n bit 
numbers, is reduced to one of calculating two values sp and sq which are n bit numbers. 
This represents a considerable saving in computation time. 

The Mixed Radix System (MRS) expression of a given integer X modulo M (as 
above) is 

X = x#i + x#2mi + x#3mim2 + x#kmim2 . . . mk-i 0 < x#i < mi 

The x#i in the above are called the MRS digits of X. They are unique and can be 
calculated from the RNS residues Xi, X2 . . . Xk (Xi = X mod mO by the following recursion: 

x#i = Xi 

x#2 ^ (X2 - x#i)mi'^ mod m2 

x#3 = ((x3 - x#i)mi"^ - x#2)m2"^ mod ma 

x#j = ( . . . ((Xj - x#i)mr^ - x#2)m2"^ - ... - x#j-i)mj.i'^ mod mj 

The Montgomery Modular MultipUcation (MMM) facilitates repetitive modular 
reduction operations, mod N, where N is an odd integer constant. PubUc key 
cryptography depends heavily on arithmetic operations modulo a multiple-precision odd 
integer. So the performance of a pubUc key cryptosystem depends heavily on the speed 
with which it executes those operations. Multiplications and divisions have particularly 
large influences on processing time. The Montgomery method particularly facilitates 
repeatedly executing multiplications. The Montgomery method is a method for 
computing multiple-precision modular multipUcation with a processing cost of about two 
multiple-precision multiplications. Multiple-precision modular reduction usually has a 
poor performance compared with multiple-precision multipUcation, so the Montgomery 
method can significantly improve performance. 

Suppose two numbers are to be multiplied. First, they are each transformed into 
Montgomery space by taking mod p of each. Then the Montgomery multiplication is 
COTied out, and its result is inversely transformed out of Montgomery space. The 
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transformation and inverse transformation each have a processing load of about one 
multiple-precision multiplication. Consequently, modular exponentiation suffers lower 
overhead due to the Montgomery conversion and the inverse Montgomery conversion 
because it carries out modular multiplications repeatedly and therefore it can be reaUzed 
by a fast implementation. The Montgomery method can benefit many pubHc key 
algorithms, including RS A, that use modular exponentiation, S = A"^ mod N, as their 
basic operation. But the Montgomery method will not necessarily lead to efficient 
implementation if only some multiplications are required due to transform and inverse 
transform overhead. 

Various MMM methods are known. See, for example, Peter L. Montgomery, 
"Modular Multiplication Without Trial Division", Mathematics of Computations, vol 44, 
no. 170, pp.519-521, April 1985; Stephen R, Dusse and Burton S. Kaliski, Jr., "A 
Cryptographic Library for the Motorola DSP 56000", Advances m Cryptography, Proc 
Eurocrypt'90, Lecture Notes In Computer Science no. 473, pp. 230-244, Springer-Veriag, 
1990; and the methods of U.S. Pat. No. 4,514,592 to Miyaguchi, U.S. Pat. No. 5,101,431, 
to Even, U.S. Pat. No. 5,321,752 to Iwamura, U.S. Pat. No, 5,448,639, to Arazi, and U.S. 
Pat. No. 5,513,133 to Gressel. 

SHOTGUN MULTIPLICATION 

FIGS. 1 A and IB depict a shotgun multiplication process. The processing occurs 
in parallel mathematically independent units. In a precomputation phase 12 mi, M, and 
W are defmed 14. The mi are k-bit moduli (mi, m2, . . . m2t), where the moduU mi are 
pairwise mutually prime and t > (n+l)/k, v^here n is the bit length of the numbers being 
multipUed. M is defined as the product of the first t moduli: M = mim2 , . . mt. W is 
defmed as the product of the second t moduli: W = mHimt+2 . . . m2t. By k-bit moduU, we 
mean 2^"^ < mi < 2^. This means that M > 2"^^ and W > 2""^^ Additionally, mi'^ mod mj 
are calculated for i j = 1 . . . 2t with i^]. 

During the precomputation phase 12, pi is also defined 16 such that p is an n-bit 
number and pi = p mod m^ for i = t+1 . . . 2t. Additionally, p'\ is calculated for i = 1 . . . t. 
Note that p must be relatively prime to M and W, and p is usually prime. 
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During a setup phase 18, Ai and Bi are defined 20 for n-bit numbers A and B. To 
multiply A and B modulo p, the numbers are rendered in RNS notation so that Ai = A 
mod mi and Bi = B mod mi and pi = p mod mi for i = 1 . . . 2t in both RNS bases. 

The rest of the shotgun multipUcation process depicted in FIGS. 1 A and IB all 
falls within the body phase 22. 

It takes as parameters arguments A and B from 20 and modulus p in Residue 
Number System (RNS) notation from 16 for a first RNS basis (moduU m^ . . . mO and for 
a second RNS basis (moduh mt+i, . . . m2t) from 14. Its output 40 is R = ABM"^ mod p 
expressed in the both the first and the second RNS bases. This allows the outputs 40 to 
be used as inputs in subsequent multiplications. As in 14, M is the product of the moduU 
in the first RNS basis. And as also in 14, W is the product of the moduh in the second 
RNS basis. 

Shotgun multiplication faciUtates the necessary computations by working in the 
first basis where computing a multiple of M is easy and then converting to the second 
basis where division by M is easy. 

This basis conversion is done by means of deriving the Mixed Radix System 
(MRS) digits of a number in one basis, and computing the corresponding sum in the other 
basis. This technique lends itself to parallel computations. In general the process 
performs the following sequence of steps: 
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step 1 : In the first basis compute Q mod M such that AB + Qp = RM 
for some integral value R. This is equivalent to the 
computation: 

AB + Qp = OmodM 

or 

Q = -ABp'^ modM. 
Step 2: Convert Q to the second basis, Q mod W. 
Step 3 : Compute R in the second basis, R mod W. 

R = (AB + Qp)M'^modW 
Note that M"^ exists in the second basis (mod W) but not in 
the first where M mod M = 0. Also note that 
Rmodp -(AB + Qp)M"^modp 
= ABM'^ + QM"^pmodp 
= ABM"^modp, 
which is the answer we are looking for. 
Step 4: Convert R back to the first basis so that it can be used as 
input to the next multiplication. 

The strength of this process lies in the fact that there are many operands that do 
not depend on A or B, depending only on p or the mi. These operands can be 
precomputed one time for many different p in the same size range and stored for repeated 
reference. 

The set of Qi's is the set of RNS values corresponding to Q = -ABp"^ mod M. The 
RNS values Qi are computed as Qi = -AiBip'\ mod mi for i == 1 » . . t in 24. Note that the 
Qi's are computed without reference to Q, and p"^ mod M is a precomputed value as 
described above. 

In Steps 26-30, Q is then converted firom the RNS basis (mi, m2, . . . mt) to RNS 
basis (mt+u mt+2, . . . m2t) by computing the MRS expansion Q = Q#i + Q#2mi -i- Q#3mim2 
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+ . . . + Q#tmim2 . . . mt-i. To perform this expansion, Qi = 0 for i = t + 1 . . . 2t. Q#i = Qi. 
Counter j is set to zero. 

In step 28, the counter is incremented: j = j +1. 

In step 29 J is compared to t. If j is less than or equal to t, then Q#j is computed 

in 30: 

Q#j = ( . ((Qj - Q#i)mr^ - Q#2)ni2"^ - . Q#j.i)mj.f \ and the second basis values 
of Qi are updated: 

Qi = Qj + Q#j(mim2 ... mj.i) for i = t + 1, ... 2t. 

Then the process returns to step 28, where the counter is again incremented, etc. 

But if, in step 29, j is greater than t, the conversion of Q to the second basis is 
complete, i.e. Qi = Q mod m^, for i = t + 1 ... 2t. 

Then in 31 the set of Ri's is the set of RNS values corresponding to R mod p = 
ABM'^ mod p. The RNS values Ri are computed as Ri = (AiBi + Qipi)(M"^) mod mi for i 
= t + 1 . . . 2t. Note that the Ri's are computed without reference to R. Also note that (M" 
^) mod mi is also a precomputed value. 

Because this multiplication process is used recursively when doing exponential 
operations, R is converted from the second RNS basis (mt+i, mt+2, . . . m2t) to the first RNS 
basis (mi, m25 . . . mt) by computing the MRS expansion R == R#t+i + R#t4-2mt+i + 
R#t+3mt+imt+2 + ... + R#2tmt+imt+2 ... m2t-i. 

Thenin32,Ri=0fori=l ...t. R#t+i=Rt+i. Counter j is set to t+1. 

In step 34, the counter is incremented: j = j +1. 

In step 36, j is compared to 2t. If j is less than or equal to 2t, then R#j is computed 
in step 38: 

R#j - ( ... ((Rj - R#t+i)mt+r^ " R#t+2)mt+2'^ - R#j-i'^)mj.i-^ modmj 
Ri = Ri + R#j(mt+imt+2 ... m2t) for i = 1 ... t 

Then the process loops back to step 34, where the counter is again incremented 
and so on. 

If, in step 36, j is greater than 2t, the result 40 is obtained: 
Ri = (ABM"^ mod p) mod mi, fori =1 ...2t. 
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If another iteration of the shotgun multiplication process of FIGS. lA and IB 
follows, then this Ri would go into the subsequent shotgun multiplication iteration. The 
subsequent iteration would include body 22, with the Ri being used in place of Aj. 

In an embodiment, shotgun multipUcation is best described as follows: 

Shotgun ring operations for cryptographic purposes, or for other 
technical, commercial or governmental purposes, are high-speed ways of 
adding, negating, subtracting and multiplying nxmibers. 

The Chinese Remainder Theorem gives a constructive definition 
of a useful ring isomorphism between two important commutative rings 
with imity, the ring Z / mZ of integers modulo m, and a related product 
ring P, the product being over factor rings indexed by the members of an 
appropriate index set of pairwise relatively prime divisors of m. 

Shotgun arithmetic proceeds by performing a succession of operations 
involving members a, b, c, . . . of the ring Z / mZ, as follows: 

Step 1: "Shatter" member a into many "shards", one belonging to 
each factor ring F of the product ring P. In other words, 
use the CRT to "encode" the integer a into the integer a 
mod f if the factor ring F is equal to Z / C;. Similarly 
shatter members b, c, 
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step 2(a): Appropriately operate on the F-shards of the members of Z / 
mZ involved in the first operation. Do this separately, for 
each F, so as to accumulate a family of result-shards 
corresponding to the first operation of the desired succession 
of operations, one result-shard belonging to each factor ring 
F. 



Step 2(b): Remain at the shard level, and do the next appropriate 

operation within each factor F, producing a next family of 
result-shards, one for each F. 



Step 2(c): And again. And again. . . . Never departing from the shard 
level, which is to say from operations withn each single 
factor ring F. 

Step 3: When the desired succession of ring operations on numbers 
belonging to the ring Z/mZ has been mimicked by an 
actual succession of corresponding families of F ring 
operations on shard-level in the separate factor rings F, it is 
necessary to "unshatter" the family of final shard-results, one 
in each factor ring F. In accordance with the CRT, this is 
done by the Euclidean Algorithm methodology. 



SLIDING WINDOW S-ARY EXPONENTIATION 

FIG. 2 depicts a method for exponentiation mod prime p through repeated 

squarings and multiphcations. This flow introduces data, specifically the mi moduh that 

are essential in the shotgun multiphcation process used in each of the demarcated boxes. 

A shotgun multiplication process is detailed in FIGS. 1 A and IB. The exponentiation 

method ultimately calculates A^ mod p. 
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In 42, message A has a bit length of n bits. The message A could be any number 
or other information represented in a digital format. Method parameters are shown in 44. 
Li 46, k-bit moduU (mu m2, . . . m2t) are chosen, where the moduli mi are pairwise 
relatively prime and t > (n+l)/k. And also in 46, M is defined as the product of the first t 
moduU: M = mim2. . »mt. 

As a first part of a key 48 a modulus p is mput 50, where p is an n-bit prime 
modulus. 

La 52 the message A and modulus p are rendered in RNS notation so that Ai = A 
mod mi and pi = p mod mi for i = 1 . . .2t. The modular inverse of p is also calculated p'S = 
p"^ mod mi for i = 1 ... 2t. 

The second parameter 44 is a sliding window width s shown in 53. The sliding 
window width s is chosen (and fixed for a given implementation) by weighing the cost of 
storage -'t(k)(2^) bits against the cost of computation '-2^ + n + n/s multiplications. 
Sliding window widths in the range of 1 to 6 would be common. 

Using the shotgun multiplication process in 54, Lji is computed such that Lji = 
(A%^"^ mod p) mod mi, for j - 0. . .2'-l and i - 1 . . .2t. And: 
Lo = l 
Li=A 

L2 = SG(Li,A) = LiAM-^ 

Lj = SG(Lj.i,A) = Lj.i(AM"^) = A^'^M^'^AM'^) = A}M'^ 

where SG( ) denotes shotgun multiplication. 

As a second part of key 48, input 60 is a 2n-bit exponent d. In 62 a variable c is 
set equal to d mod (p-1). And in 64 variable pointer chits is set equal to the number of 
bits in c. 

In step 65, a variable b is set equal to the first s bits of c. In step 66, a variable Ti 
is set equal to Lbi. 
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The determination 68 is then made of whether there are more bits in c to process. 
If yes, then in 70 b = s bits of c, starting at cbits. Then in 71 , cbits = cbits-s. 

The shotgun multiplication process is repeated s times in 72, each time setting T = 
T^M"^ mod p, where Ti = T mod mi, wherein T is realized in RNS notation, Ti = T mod 
mi, i = 1 . . , 2t. The shotgun multiplication process is then vised in 74 to set T = TLbM"^ 
mod p, wherein T is realized in RNS notation, Ti = T mod mi, i = 1 . . . 2t. 

The method then loops to make determination 68 again and so on. 

If the determination 68 is no, the shotgun multiplication process is used in 76 to 
set T = TM^^^^^'^^ mod p, wherein T is realized in RNS notation, Ti = T mod mi, i = 1 ... 
2t, and wherein delta(c) is the number of powers of M"^ accumulated in the shotgun 
multiplications, including squarings, in the 68-70-72-74 loop. Because delta(c) is solely 
determined by c, it can be precomputed. 

Finally, in 78 T is recovered from Tj using the Chinese Remainder Theorem 
(CRT). In fact, T = A^ mod p. 

EXPONENTIATION MOD PQ USING CRT 

FIG. 3 depicts a method of using CRT to break a 2n-bit exponentiation into two n- 
bit exponentiations (which in practice are each one eighth as expensive.) It requires that 
the prime factors p and q of the modulus N be known. It employs the sliding window 
exponentiation process described in the second flow. 

The process begins in 80 with a 2n-bit message A. Then a key 82 is chosen 84. 
The components 84 of key 82 include n-bit prime numbers p and q, and a 2n-bit exponent 
d. 

In step 86, Ap and Aq are computed: 
Ap = A mod p 
Aq = A mod q 

Then the sliding window exponentiation process is used in 88 to compute Ap*^ 
mod p in 90 and Aq^ mod q in 92. 

Finally in 94, A*^ mod (pq) is constructed using CRT. 
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CASTOUT 

The shotgun multiplication method can be used more efficiently by choosing the 
bases (m^ . . . m2t) in ways that make the modular calculations simpler. A w-bit number 
C is a "castout modulus" if it is of the form 2^ - L, where L is a low Hamming weight 
odd integer less than 2^^'^^^^ i.e., C = 2^ - 2^^ - 2^ - ... - 2^^ - 1 , where (w - 3)/2 > x i > X2 
> . . . > Xk > 0 and k is much less than w. The "castout order" of C is defined to be one 
less than the Hamming weight of L. 

The residue of a modulo < 2^^ a w-bit castout modulus can be found using only 
2k + 3 additions, 2k multiplications by 1^ (shifts) and a single bit comparison, where k is 
the castout order of the modulus. 

FIG. 4 illustrates the castout process. 

Let C be a w-bit castout modulus of order k in 96 such that 
C = 2^«2^^-2^-..,-2^^"l. 

And let P be a number < 2^"^ in 9 8 . 

Then in 100, consider P as two w-bit words Hi and Li wherein 

P = 2'^Hi + LuwithLi<2^andHi<2^ 
Step 1: This step 102 computes Si 104: 

Si = Li + (Hi2''^) + (Hi2^^) + ... + (Hi2^^) + Hi 

Step 2: This step 106 splits Si 108 and computes S2 1 10: 
Consider Si as two w-bit words H2 and L2 
Such that Si =2^H2 + L2 

Compute S2 = L2 + (H22^^) + (H22^) + . . . + (H22"^) + H2 

Step 3: This step 112 computes S3 1 14: 

Compute ,S3 = S2 + (2''^ + ... + 2"^ + 1) 
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step 4: This step 116 compares S3 > 2* 1 18, leading to either S3 - 1 
120 or S2 122: 

If S3 > 2"* (the w + 1 bit of S3 is 1) then output S3 - T (the 
low w bits of S3), otherwise output S2 

Justification: 

P =2"^!+^ 

= Hi*(C + 2''^ + ...+2'*+l) + Li 
= Li + 2''^Hi + ... +2'*Hi +Hi +HiC 
= Si+HiC, 

so Si =PmodC. 

Also, Si = Li + (2"' + . . .+ 2^* + l)Hi 
<Li+2(2''*)Hi 
<2'^ + 2(2^'^"^^'^)2*' 
= 2^(2^^-'^'^ + l) 
< 2^(2^"^'^^) 

_ 2(3w+l)/2 

Si = T'Qi + L2, with L2 < 2^^ and H2 < ii^^'^^ 

Si = 2^H2 +L2 

= H2(C + 2''* + ...+2'*+l) + L2 

= L2 + 2''^H2 + ... + 2'*H2 + H2 + H2C 

= S2 + H2C, 

so S2 = Si = P mod C. 
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Also, S2 = L2 + (2"' + . . .+ 2^^ + 1)H2 
<L2 + 2(2'"H2) 
<2'' + 2(2(^-^>^)2('^^^ 

= 2^ + 2^^^'^^^ 

<2C 

IfS3>2^,theii 

S3 - 2^ = S2 + (2"^ + . . . + 2^^ + 1) - 2^ 
= S2-C 
= P mod C, and 

and 

S3 =S2-C<2C-C 
= C 

Otherwise, if S3 < 1^, then 

S2 + (2"^ + ...+2^^+l)<2^ so 

S2<C 

And S2 = P mod C as shown above 

Computation of Si and S2 take k + 1 additions and k shifts each. Computation of 
S3 takes one addition, and the decision on what to output is a one-bit comparison. These 
total 2k + 3 additions, 2k shifts and one one-bit comparison. 

In order to find the residue, modulo C, therefore, it is only necessary to calculate 
104 Si using Step 1 in 102, calculate 1 10 S2 using Step 2 in 106, calculate 1 14 S3 using 
Step 3 in 1 12 and perform a one-bit compare 1 1 8 of S3 against 2^ and output either S3 - 
2^ in 120 or S2 in 122, depending on the result of the compare 118. 

The residue calculated in this fashion can be used in a variety of processes, 
particularly to perform large nxmiber exponentiation in public key cryptography. 



501143.000008 Austin 171871.1 



-19- 



GENERALIZATION OF CASTOUT 

Some embodiments select castout moduli from two sets of numbers: (1) big and 
heavy numbers or (2) little and light numbers. 

A definition of a "w-big" number used by some embodiments is: a w-big number 
is a number less than 2^ but close to 2^. A definition of a "w-heavy" number used by 
some embodiments is: a w-heavy number is a number less than and with Hamming 
weight close to w. 

A definition of a '^v-little" number used by some embodiments is: a w-little 
number is a number greater than 2^ but close to 2^. A definition of a "w-light" number 
used by some embodiments is: a w-Ught number is a number greater than 2^ and with 
Hamming weight close to 1. 

Another definition of a "w-big" number used by some embodiments is: a w-big 
nxmiber is greater than > 2^ - 2^, where g is a number less than 1 , That is, the upper w(l 
- g) bits of the w-big number are 1 when the w-big number is written in bin^ notation. 
For example, one embodiment defines a w-big w-heavy number by g = 1/2 and |x - w| < 
6. 

Some embodiments achieve computational advantages by using a castout 
modulus that is both w-big and w-heavy. Some embodiments achieve computational 
advantages by using a castout modulus that is both w-little and w-Ught. The detailed 
computational discussion in this application of the use of a castout modulus that is both 
w-big and w-heavy applies to the use of a castout modulus that is both w-little and w- 
light with minor changes that are obvious to one of ordinary skill in the art. 

Other moduh than w-big and w-heavy moduli as castout moduli would be used in 
other embodiments, and are therefore contemplated as falling within the scope of the 
claimed invention. And other moduli than w-httle and w-light moduli as castout moduh 
would be used in other embodiments, and are therefore contemplated as falling within the 
scope of the claimed invention. 
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OTHER EMBODIMENTS 

A factor in slowing some public-private key cryptosystem processes is their 
requirement for modular exponentiation of large numbers. Even though this description 
most thoroughly focuses on encryption/decryption embodiments, many other 
embodiments are contemplated. Examples of other embodiments — readily apparent to 
typical practitioners of this technical area — include (1) tomography/transforming data, 
(2) decryption/encryption, (3) keyless encryption, (4) combination 
transforming/detransforming, (5) random number generation/monte carlo, (5) simulation 
of real-life scenarios, etc. Those applications typically require heavy exponentiation and 
for that and other reasons would be particularly well adapted to application of the present 
invention. 

hi an embodiment, shotgun multipUcation is used to facilitate high security log- 
ins that use high-degree-sparse polynomials. One example is Purdy. See G.B. Purdy, "A 
high security log-in procedure", Communications of the ACM, 17 (1974), 442-445. 

In another embodiment, shotgun multipUcation facilitates random number 
generation by staying shattered, generating new random strings indefinitely, with a clean- 
up unshatterer following to provide random numbers. One function example is LCPRN. 

hi a further embodiment, shotgun multipUcation facilitates Monte Carlo. 

hi a yet another embodiment, shotgun multipUcation facilitates simulation. 

hi a still further embodiment, shotgun multiplication facilitates speed acceleration 
of computer games. 

hi an embodiment, shotgun multipUcation facilitates genetic algorithms. 

In another embodiment, shotgun multiplication facilitates fractals. 

In a further embodiment, shotgun multiplication facilitates morphing. 

In a yet another embodiment, shotgun multiplication facilitates morphing 
particularly well for use in movie production. 

In a still further embodiment, shotgun multiplication facilitates movie special 
effects, including random and nonrandom processes. 



501143.000008 Austin 171871.1 



-21- 



In other embodiments, shotgun multipUcation facihtates secret sharing, some 
going into higher dimensional vector spaces, some over larger fields, and some involving 
ramp schemes. 

In another embodiment, shotgun multiplication facilitates improved 
implementation of the invention disclosed in U.S. Patent No. 5,485,474, "Scheme For 
Information Dispersal and Reconstruction," Rabin et al. 

In further embodiments, shotgun multiphcation facilitates extremely precise real 
calculations. Some of these are done as large-integer modular calculations, and some of 
these are done as large-modulus modular calculations. Error growth is minimized in 
some, and eliminated in others. 

In yet other embodiments, shotgun multiplication facilitates 
transforms/retransforms. Examples of transforms/retransforms faciUtated include 
Fourier, Laplace, Walsh, etc. Examples of classes facilitated include classical harmonic 
analysis, wavelet transforms, tomography, scattering, inverse scattering, sonar, and 
stealth technology. 

Any element in a claim that does not explicitly state "means for" performing a 
specified function, or "step for" performing a specific function, is not to be interpreted as 
a "means" or "step" clause as specified in 35 U.S.C. § 1 12, ^ 6. In particular, the use of 
"step of in the claims herein is not intended to invoke the provision of 35 U.S.C. § 1 12, 
If 6. 

It should be apparent from the foregoing that an invention having significant 
advantages has been provided. While the invention is shown in only a few of its forms, it 
is not just limited to those forms but is susceptible to various changes and modifications 
without departing from the spirit thereof 

APPENDIX A — GLOSSARY 

This Glossary defmes words as they are used throughout this application. This 
Glossary lists base words rather than word variations. But the meanings of word 
variations — such as "connecting," "connect," and "connected" for the base word 
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"connection" — are also given meaning according to their logical relationship to the base 
word. 

* means equality or congruence, depending on the context. This is clear to 
typical practitioners of this technical area, 
means approximately. 

"algoritiim" means a process for completing a task. An encryption algorithm is 
the process, typically with mathematical characteristics, to encrypt and decrypt messages. 

"ARP" means Address Resolution Protocol. To map an IP address into a 
hardware address, a computing device uses the ARP protocol which broadcasts a request 
message containing an IP address, to which a target computing device replies with both 
the original IP address and the hardware address. 

"Asymmetric encryption" means encryption used in a public-private key 
cryptosystem. 

"Asymmetric key cipher" means a public-private key cryptography system. 

"Authentication" means the process of verifying that a file or message has not 
been altered in route from the distributor to the recipient(s). 

"Cipher" means a cryptographic algorithm used to encrypt an decrypt files and 
messages. 

"Ciphertext" means the disguised (or encrypted) file or message. 

"Computing device" means a device having at least one processor and at least one 
memory device, wherein the processor can process data that can be stored in the memory 
device before and/or after processing, or a group of devices having that capacity in 
combination. By this definition, examples of a computing device include computer 
personal computer, palm computing device, notebook computer, server, mainframe, 
network of computing devices with coordinated processing or storage, network of 
components functioning together as a computing device wherein any single component 
may not be a computing device in its own right, etc. As another example, components of 
a computing device may be connected across the Intemet. Other examples of computing 
devices could include boards, chips, exponentiators, multipliers, etc. 
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"Connection" means any connection that is adapted to carry communication, 
whatever the supporting technology. Examples of connections include hard wire 
connections such as phone lines, Tl lines, DSL, fiber optic, Ethernet, twisted pair, etc. 
Other examples of connections include wireless connections such as those operating by 
electromagnetic waves, wireless optics (e.g., infrared), etc. Further examples are a 
logical connection between two processes on the same system, and a connection between 
two processes sharing a common memory space. 

"Cryptanalysis" means the art of breakmg cryptosystems. It also means the 
process of looking for errors or weaknesses in the implementation of an algorithm or of 
the algorithm itself 

"Cryptography" is the art of creating and using cryptosystems. 

"Cryptosystem" means the entire process of using cryptography. This includes 
the actions of encrypting and decrypting a file or message. It also means authenticating 
the sender of an e-mail message. 

"Decryption" means any process to convert ciphertext back into plaintext. 
Decrypting is synonymous to decoding. 

"DES" means the Data Encryption Standard. It is a cipher developed by the 
United States government in the 1970s to be the official encryption algorithm of the 
United States. 

"Digital signature" means systems that allow people and organizations to 
electronically certify such features as their identity, their ability to pay, or the authenticity 
of an electronic document. 

"Encryption" means any process to convert plaintext into ciphertext. Encrypting 
is synonymous to encoding. 

"FTP" means File Transfer Protocol. FTP enables transferring of text and binary 
files over TCP connections. FTP allows transferring files according to a strict mechanism 
of ownership and access restrictions. It is now one of the most commonly used protocols 
over the Internet. 
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"Hamming weight" means the number of "1" bits in the binary representation of a 
nimiber. 

"HTTP" means Hyper Text Transfer Protocol. It is a protocol used to transfer 
hypertext pages across the World Wide Web. 

"IP" means Internet Protocol, and is the underlying protocol for the other Internet 
protocols. IP defines the means to identify and reach a target computer on the network. A 
unique number known as an ff address identifies each computing device in the IP world. 

"IPSec" means Internet Protocol Security. It is a standard for security at the 
network or packet-processing layer of network communication. BPSec provides two 
choices of security service: Authentication Header (AH), which essentially allows 
authentication of the sender of data, and Encapsulating Security Payload (ESP), which 
supports both authentication of the sender and encryption of data. IPSec is a suite of 
protocols that protect client protocols of IP, such as TCP. IPSec describes mechanisms 
that provide data source authentication, data integrity, confidentiality and protection 
against replay attacks. IPSec provides transport mode and tunnel mode operation. Some 
embodiments provide only tunnel mode operation, and others offers a more complete 
IPSec implementation. 

"iSCSI" is a software package that emulates SCSI protocols, but the connection 
method is via an IP network instead of a direct SCSI compatible cable. This is one 
example of IP-based storage. 

"Key" means a collection of bits, xisually stored in a file, which is used to encrypt 
or decrypt a message. 

'TSfetwork protocol" means a standard designed to specify how computers 
interact and exchange messages. It usually specifies the format of the messages and how 
to handle errors. The following Intemet protocols are examples of network protocols: 
ARP, FTP, HTTP, IP, NNTP PPP, SLIP, SMTP, SNMP, TCP, Tebiet, and UDP, 

"NNTP" means Network News Transfer Protocol. It is a protocol used to carry 
USENET postings between News cUents and USENET servers. 
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"PGP" means Pretty Good Privacy. It is a public-private key cryptosystem that 
allows users to more easily integrate the use of encryption in their daily tasks, such as e- 
mail protection and authentication, and protecting files stored on a computer. PGP is 
available for free to individual home users. 

"Plaintext" means the original message or file. After a file or message has been 
encrypted and then decrypted you should end up with the original file or message. 

"PPP" means Point-To-Point protocol, and is a protocol for creating a TCP/BP 
connection over both synchronous and asynchronous systems. PPP provides connections 
for host-to-network or router-to-router. It also has a security mechanism. PPP is well 
known as a protocol for connections over regular telephone lines using modems on both 
ends. This protocol is widely used for connecting personal computers to the Internet. 

"Private key" means the private key of a public-private key cryptosystem. This 
key is used to digitally sign outgoing messages and is used to decrypt incoming 
messages. 

"Public key" means the public key of a public-private key cryptosystem. This key 
is used to confirm digital signatures on incoming messages or to encrypt a file or message 
so that only the holder of the private key can decrypt the file or message. 

"Public key cryptosystem" means an asymmetric encryption algorithm in which it 
is infeasible to derive one key from the other. 

"Public-private key cryptosystem" means a cryptosystem that uses two different 
keys to encrypt and decrypt messages and files. The two keys are mathematically related 
to each other, but deriving one key from the other is infeasible. One key is a public key 
and one key is a private key. The public key is usually distributed to other users, and the 
private key is usually kept secret. 

"Ring arithmetic" means an arithmetic of mathematical structures in which 
addition, subtraction, multipUcation, and their obvious consequences such as 
exponentiation, have the properties and interrelationships usually encountered in high 
school algebra. 
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"SCSr' is an intelligent protocol that enables data blocks to be read at high speed 
from or sent at high speed to storage devices such as disks or tape drives. Early 
implementations of SCSI used ribbon cable and industry standard logic levels. 

"Security association" means a relationship between two or more entities that 
describes how the entities will utiHze security services to communicate securely. This 
relationship is represented by a set of information that can be considered a contract 
between the entities. The information must be agreed upon and shared between all the 
entities. Security association is commonly abbreviated SA. 

"Shotgun multiplication" means a process like that described in this application 
for performing fast computations by performing processing in mathematically 
independent units, taking advantage of more than one basis and precomputed operands, 
and accommodating iterative problems. 

"SLIP" means Serial Line Intemet Protocol, and is a point-to-point protocol to use 
over a serial connection, a predecessor of PPP. There is also an advanced version of this 
protocol known as CSLIP (compressed serial Une intemet protocol) that reduces 
overhead on a SLIP connection by sending just header information when possible, thus 
increasing packet throughput. 

"SMTP" means Simple Mail Transfer Protocol, and is dedicated to sending e-mail 
messages originating on a local host to a remote server over a TCP connection. SMTP 
defines a set of mles that allows two programs to send and receive e-mail over the 
network. The protocol defines the data structure to deliver with information regarding the 
sender, the recipient(s) and the e-mail's body. 

"SNMP" means Simple Network Management Protocol. It is a simple protocol 
that defines messages related to network management. Through the use of SNMP, 
network devices such as routers can be configured by any host on their network. 

"SSL" means Secure Sockets Layer, and is a trademark of Netscape. It is a 
program layer created by Netscape for managing the security of message transmissions in 
a network. The concept is that the programming for keeping messages confidential is to 
be contained in a program layer between an application (such as a Web browser or 
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HTTP) and the Intemef s TCP/IP layers. The "sockets" part of the term refers to the 
sockets method of passing data back and forth between a chent and a server program in a 
network or between program layers in the same computer, 

"SSL/TLS" means compatible with SSL and with TLS. 

"Symmetric key" means the key of a symmetric key cryptosystem. The 
symmetric key is used to encrypt a file or message and also to decrypt the file or 
message. 

"Symmetric key cryptosystem" means a cryptosystem that uses one key to lock 
and unlock — encrypt and decrypt — messages and files. The sender must posses the 
key to encrypt a file or message, and the recipient(s) must possess the key to decrypt the 
file or message. 

"TCP" means Transmission Control Protocol. Like UDP, TCP is a protocol that 
enables a computer to send data to a remote computer. But unlike UDP, TCP is reliable 
— packets are guaranteed to wind up at their target in the correct order, 

"Telnet" is a terminal emulation protocol for use over TCP connections. It enables 
users to logm to remote hosts and use their resources from the local host. 

"TLS" means Transport Layer Security. It is the successor protocol to SSL, 
created by the hitemet Engineering Task Force (IETF) for general communication 
authentication and encryption over TCP/IP networks. TLS version 1 is nearly identical 
with SSL version 3, providing data integrity and privacy on a communications Unk over 
the Intemet. It allows client-server appUcations to communicate and is designed to 
prevent eavesdropping, message forgery, and mterference. 

"TOE" means TCP Offload Engine. TOE technology typically takes the server 
CPU out of I/O processing by shifting TCP/IP processing tasks to a network adapter or 
storage device. This leaves the CPU free to run its applications, so users get data faster. 

"Triple DES" means a method of improving the strength of the DES algorithm by 
using it three times in sequence with different keys. 
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"UDP" means User Datagram Protocol. It is a simple protocol that transfers 
datagrams (packets of data) to a remote computer. UDP doesn't guarantee that packets 
will be received in the order sent or that they will arrive at all 
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